Perform a Local File Inclusion Attack [100% Working]

Ethical hacking

Reviewer: Deepak Prasad

Local file inclusion (LFI) is a type of cyber attack in which an attacker is able to gain access to sensitive information stored on a server by exploiting the server’s vulnerabilities and including local files. An attacker will look for insecure coding practices and flaws in the system that can be exploited to gain access to sensitive files, such as those containing system settings, configuration files, and other sensitive data.

This type of attack can be used to gain access to sensitive data, such as passwords, credit card numbers, and other confidential information. It can also be used to gain unauthorized access to the server, allowing the attacker to install malicious software or corrupt the system.



  1. PC running on Kali Linux.
  2. A running instance of OWASP Juice Shop
  3. Have dirbuster tool installed on your Kali Linux instance.


Installing OWASP Juice Shop

To demonstrate the local file inclusion exploit on a web application, we will be using OWASP Juice Shop. You can choose to run OWASP Juice Shop on your local machine or run it using its docker container that can be found on the docker hub. You can refer to this guide on downloading and running OWASP Juice Shop container here.



Dirbuster is a popular open-source tool used to discover hidden directories and files on web servers. It is an essential tool for web application security testing, as it can uncover local file inclusion vulnerabilities. It works by brute forcing directories and file names on web servers. It can be used to discover directories and files that are not linked from any web page but are still accessible. By using Dirbuster, security testers can find potentially vulnerable local files that are not accessible through standard web browsing. Dirbuster can also be used to discover hidden directory structures, which can aid in identifying potential attack vectors.

Local file inclusion is one type of vulnerability that Dirbuster can detect. It occurs when a web application includes or references a file on the local file system, instead of a secure remote location. By exploiting this vulnerability, an attacker can gain access to sensitive local files, which can lead to further attacks. Dirbuster is an invaluable tool for security testers, as it can help uncover local file inclusion vulnerabilities and other hidden resources on web servers.


Installing Dirbuster

Installing Dirbuster on Kali Linux is as easy as running a single command. To install we will run the command.

sudo apt install dirbuster

local file inclusion


Scanning for directories

Before we run the local file inclusion attack, we first need to do some reconnaissance on our target. Reconnaissance will help us determine some of the directories found on the target’s web server. Dirbuster is our go-to tool to use for scanning. To scan the target using Dirbuster we will run the command.

dirbuster http://<IP>:PORT

In our case, the command is as shown in the image below.

local file inclusion

To make the scan more effective, we can indicate the wordlist to be used by the Dirbuster. Using tools such as Crunch, we can generate world lists containing the names of the directories that are more likely to be found.

After the scan is complete, we can see the folders that have been found on the target web server in the image below. From these directories, we can be able to find a folder from which we will launch the local file inclusion attack.

local file inclusion


Local File Inclusion exploit

Now we have directories that may contain files of interest for the local file inclusion attack. We have to browse through each of the to determine the one we want. When we visit the first directory (, we can only see a blank screen. On the next link (http;//;3000/ftp), we find various files as shown in the image below.

local file inclusion


In the image above, we can see a package.json file. Bad actors may exploit vulnerabilities found in the dependencies being used to compromise a target system. When we try to open the file, we run into an error as shown in the image below.

local file inclusion


As we can see in the image, only .md and .pdf files can be opened by a user on the web server. After scouring the internet for some time, I found out we can perform a Null Byte Injection on our target server to download the prohibited files by adding %00 or %2500 followed by the allowed extension.

We try adding %00.pdf on the link to find out if it works but nothing happens. Onto the next, we add %2500.pdf on the link as shown in the image below.

local file inclusion

A pdf is automatically downloaded to our downloads folder. If you look closely, this is the “package.json.bak” which has been downloaded but it has a .pdf extension as shown in the image below.

local file inclusion

We can remove the “%00.pdf” from the file to revert it back to its original form as seen on the server and we finally open it to view the dependencies required by our target website. Some of the dependencies required by OWASP Juice Shop are as shown in the image below.

local file inclusion

From here, a bad actor can exploit vulnerabilities found on specific versions of these dependencies. Moreover, an intruder can download other important files found in the scanned directories which could mean more harm and damage to the website owner and the users. Some of these files include the .env files which contain the environment variables.



Local file inclusion can be prevented by properly securing the system, such as using a web application firewall and properly coding to ensure that all requests are properly validated. In addition, proper security protocols should be implemented, such as using strong passwords and two-factor authentication.

The consequences of a successful local file inclusion attack can be severe, not only for the targeted system but also for the organization as a whole. Not only can sensitive information be exposed, but the attacker can also use the access to gain access to additional systems and resources, potentially putting the entire organization’s network.

It is essential for organizations to take the necessary steps to mitigate the risk of a Local File Inclusion (LFI) attack by properly configuring their web applications and servers. By following best practices such as validating user input, patching vulnerable web applications and servers, and implementing access control measures, organizations can protect themselves from this type of attack. Taking the proper security measures can help prevent the devastating effects of an LFI attack, allowing organizations to remain secure and successful.


Views: 171
Kennedy Muthii

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to

Thank You for your support!!

Leave a Comment